Using wireshark to snoop encrypted traffic and capture files

This applies to your own web session; it won’t work if you don’t control the browser.  Otherwise you need a man-in-the-middle proxy. The procedures devoted to creating a secure key log file work on Linux and might work on BSD or Mac OS X.

Sometimes you need to look at the plaintext of your own TLS (formerly SSL) sessions.  I was thinking of hacking the SSL library to get the keys out, but it turns out that has already been done, and is installed in the stock NSS library since version 3.14. Other programs using the NSS library will also use SSLKEYLOGFILE. You could also use firefox extensions such as  Live HTTP headers or maybe scriptish/greasemonkey to grab the data before it gets encrypted.

Anyway, here is how you make wireshark decrypt an SSL session and save all of the files which were returned.  These procedures ensure that the secret key files will be gone once you close the shell terminal window, wireshark, and firefox.

Create a secure temporary file, open it in bash for reading and writing as file descriptor 3, and delete it.  From bash reference manual, exec builtin:  “If no command is specified, redirections may be used to affect the current shell environment.”

$ f=$(mktemp); ls -l $f; exec 3<>$f; rm $f; ls $f; lsof -d3 -a -p$$
-rw-------. 1 edward edward 0 Sep 30 13:09 /tmp/tmp.VQw5BPHFlc
ls: cannot access /tmp/tmp.VQw5BPHFlc: No such file or directory
COMMAND … FD … NAME
bash    … 3u … /tmp/tmp.VQw5BPHFlc (deleted)

Quit from firefox (that is absolutely essential), and restart it as a child of this bash, with SSLKEYLOGFILE environment variable set to access file descriptor 3.  For convenience, set ffpid to the process ID of firefox. (The &>/dev/null redirection of stdout and stderr is necessary since the $(…) command substitution would otherwise wait for firefox to exit. “There are two formats for redirecting standard output and standard error: &>word , and >&word . Of the two forms, the first is preferred. This is semantically equivalent to >word 2>&1 .”)

$ ffpid=$( SSLKEYLOGFILE=/dev/fd/3 firefox &>/dev/null & echo $! )

Start wireshark with file descriptor 3 inherited from bash and with umask set to create user only accessible files, because you plan to save confidential files.

$ wspid=$( umask 077; wireshark &>/dev/null & echo $! ) 

Observe that both processes have inherited fd 3:

$ lsof -d3 -a -p$ffpid -p$wspid -p$$
 COMMAND   … FD … NAME
 bash      … 3u … /tmp/tmp.VQw5BPHFlc (deleted)
 firefox   … 3u … /tmp/tmp.VQw5BPHFlc (deleted)
 wireshark … 3u … /tmp/tmp.VQw5BPHFlc (deleted)

Next tell wireshark to look for keys by opening and reading /dev/fd/3:

Edit -> Preferences -> Protocol -> SSL

Set the Pre Master Secret log filename field to /dev/fd/3

wireshark will open, read, and close /dev/fd/3 whenever it needs to learn a key.

$ strace -p $wspid -e open,read,close
 open("/dev/fd/3", O_RDONLY)             = 14
 read(14, "# SSL/TLS secrets log file, gene"..., 4096) = 4096
 read(14, "d570ba9a80f1cf21339b84f7a0292a32"..., 4096) = 4096
 read(14, "f877f2b17761c2bc39e852c2abb0a896"..., 4096) = 4096
 read(14, "2ec71ec4c692ae0fe0344562376230\nC"..., 4096) = 3317
 close(14)                               = 0
 

Start a wireshark capture, filtering for HTTPS traffic only:

Capture options -> Capture filter -> tcp port https

Then access the web page and view images, etc. that you want to save.  To save the images in wireshark:

File -> Export Objects -> HTTP

and wait until the list of objects is filled. Then you can save some or all HTTP objects to disk.

Sources:

https://developer.mozilla.org/en-US/docs/NSS_Key_Log_Format

http://ask.wireshark.org/questions/13855/tool-for-saving-files-html-php-etc-from-capture

http://www.reddit.com/r/netsec/comments/1kuevc/extracting_encryption_keys_from_firefox_and_using

Advertisements
This entry was posted in Uncategorized. Bookmark the permalink.

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s